PadCrypt Ransomware

PadCrypt Ransomware is a unique ransomware-type Trojan that offers its victims live help with paying the ransom. This is a jaw-dropping new development, but it does not mean that you cannot remove it. In fact, you can get rid of it pretty easily, and we will show you how to do it. It seems that cyber criminals have started using this strategy to make more money, and this new “support” function may well increase their revenue, which is very bad news indeed. In this article, we will provide you with the most relevant information about this new ransomware, including its distribution methods and functionality. So, without further ado, let us get to it.

We have received unconfirmed information that PadCrypt Ransomware is distributed using email spam that contains a malicious link to an archive, which in turn contains an executable file disguised as a PDF. This executable downloads the ransomware’s files from the cyber criminals’ command-and-control servers (Annaflowersweb.com, Subzone3.2fh.co, Cloudnet.online). Once inside your computer, this malware will begin doing its dirty work.

While researching this infection, we found that it is similar to CryptoWall, a relatively old ransomware that had a similar “support” function. CryptoWall was the first ransomware to have a “customer support” function to help victims pay the ransom. However, that support system was website-based. PadCrypt Ransomware, on the other hand, allows victims to chat with the cyber criminals in real time through its graphical user interface. Of course, the cyber criminals help their “customers” any way they can (how noble of them). However, we recommend that you decline their help and consider not paying the ransom, especially since it is 0.8 BTC (Bitcoins), which is approximately $320 USD or 285 Euros. Note that currently this support system does not work, since the command-and-control servers are down.

Nevertheless, PadCrypt Ransomware’s servers can be reactivated, and it will then spring back to life and carry on with business as usual. We have found that this ransomware drops two files in %AppData%\PadCrypt. The main executable file is named package.pdcr. Note that the file extension is not .exe but .pdcr; still, it works as an executable file. We would also like to mention that the other file, uninstl.pdcr, is an uninstaller. We do not know the reason for including it, since malware developers do not want their infections to be uninstalled.

However, if you run uninstl.pdcr, it will delete package.pdcr, but your files will remain encrypted and, unfortunately, there is no way to decrypt them without the decryption key, which is stored on the command-and-control servers. Therefore, if your computer is infected with this ransomware, do not try to pay the ransom, because you definitely will not get the decryption key.

Note that PadCrypt Ransomware uses the AES symmetric encryption algorithm. This is one of the strongest encryption ciphers out there, and there is no way to decrypt the files using third-party software. This ransomware is set to encrypt all file formats regardless of their extension. It will encrypt files in the following locations:

C:\Users\{user name}\Downloads

C:\Users\{user name}\Documents

C:\Users\{user name}\Pictures

C:\Users\{user name}

However, that is not all. While testing this infection, we found that after encrypting all of the files in the aforementioned locations, it goes on to detect and encrypt all files not located in C:\Recycler, C:\Users, C:\NVIDIA, C:\Intel, C:\Documents and Settings, C:\Windows, C:\Program Files (x86), C:\Program Files, and C:\System Volume Information. While encrypting, PadCrypt Ransomware will make sure to delete the Shadow Volume Copies of your files so that you cannot restore them. After the encryption is complete, the infection will drop a file named IMPORTANT READ ME.txt, which states what has happened and what you should do to get your files back.
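To turn the behaviour described above into something a responder can run against a file listing (for example one exported from a disk image), here is an added Python triage helper; it is not part of this write-up or of the malware. It flags the two dropped .pdcr files and the ransom note, and labels which data files fall inside the two encryption passes described above, assuming %AppData% resolves to ...\AppData\Roaming and using a constructed sample listing.

```python
import ntpath

# Artifacts named in the write-up: the two dropped files and the ransom note.
DROPPED_FILES = {"package.pdcr", "uninstl.pdcr"}
RANSOM_NOTE = "important read me.txt"
# Directories the write-up says PadCrypt skips in its second, system-wide pass.
EXCLUDED_DIRS = (
    r"C:\Recycler", r"C:\Users", r"C:\NVIDIA", r"C:\Intel",
    r"C:\Documents and Settings", r"C:\Windows", r"C:\Program Files (x86)",
    r"C:\Program Files", r"C:\System Volume Information",
)
# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\Bob\AppData\Roaming\PadCrypt\package.pdcr",
    r"C:\Users\Bob\AppData\Roaming\PadCrypt\uninstl.pdcr",
    r"C:\Users\Bob\Desktop\IMPORTANT READ ME.txt",
    r"C:\Users\Bob\Documents\report.docx",
    r"C:\Temp\notes.txt",
    r"C:\Windows\System32\notepad.exe",
]

def _norm(path):
    """Case-insensitive, backslash-normalised Windows path."""
    return ntpath.normpath(path).lower()

def is_artifact(path):
    """True for the dropped .pdcr files in the PadCrypt folder or the ransom note."""
    p = _norm(path)
    # Assumption: %AppData% resolves to ...\AppData\Roaming on the victim.
    in_dropper_dir = ntpath.dirname(p).endswith(r"\appdata\roaming\padcrypt")
    return ntpath.basename(p) == RANSOM_NOTE or (
        ntpath.basename(p) in DROPPED_FILES and in_dropper_dir)

def encryption_scope(path):
    """'user-profile' (first pass), 'system-wide' (second pass) or None."""
    p = _norm(path)
    parts = p.split("\\")
    if len(parts) >= 4 and parts[0] == "c:" and parts[1] == "users":
        return "user-profile"  # C:\Users\{user name}\... is encrypted first
    excluded = (_norm(d) for d in EXCLUDED_DIRS)
    if not any(p == d or p.startswith(d + "\\") for d in excluded):
        return "system-wide"  # anything outside the skip list goes next
    return None

def triage(paths):
    """Split a listing into PadCrypt artifacts and at-risk data files."""
    artifacts = [p for p in paths if is_artifact(p)]
    scope = {p: encryption_scope(p) for p in paths if not is_artifact(p)}
    return artifacts, {p: s for p, s in scope.items() if s}
```

Run `triage(SAMPLE_LISTING)` to see the split; files under the excluded system directories are left out of the at-risk map because the write-up says PadCrypt skips them.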

PadCrypt Ransomware is a unique ransomware, but it is not undefeatable. However, if your computer has been infected with this ransomware and it has encrypted your files, then, unfortunately, you cannot decrypt them. All you can do at this point is remove it using our recommended software or the manual removal guide.

Boot up your computer in Safe Mode with Command Prompt

Windows 7/Vista/XP

Open the Start menu and click Restart.

While the computer is booting, press and hold the F8 key.

Once in the Choose Advanced Options screen, use the arrow keys to highlight Safe Mode with Networking and press Enter.